In early 2024, a dangerous bug was found in Apple's GPU driver that could let a carefully crafted WebGL operation corrupt device memory on Apple Silicon, specifically the M series chips. Known as CVE-2024-11691, this vulnerability affects multiple Mozilla products, including Firefox and Thunderbird, on affected Apple hardware.
This post takes a deep look at how the flaw happens, how it can be exploited, and what users should do to stay safe.
What is CVE-2024-11691?
CVE-2024-11691 is a security bug in the Apple GPU driver used by M series devices. When an application—like Firefox or Thunderbird—calls certain WebGL (Web Graphics Library) routines, the driver fails to do proper memory bounds checks. This allows out-of-bounds (OOB) writes, causing memory corruption.
- Short summary: If you are running Firefox or Thunderbird on a Mac with Apple Silicon (M1, M2, M3, etc.) and visit a malicious website (or open a bad email in Thunderbird), your Mac could be compromised through corruption of system memory.
Thunderbird < 115.18
Read the official Mozilla advisory here:
Mozilla Foundation Security Advisory 2024-23
Technical Details: How the Exploit Works
The heart of the bug is in the way the Apple GPU driver interacts with WebGL, the engine that lets web pages draw graphics.
A normal WebGL operation sends drawing instructions to the GPU. If the code requests to write to a position in memory outside the allowed buffer (out-of-bounds), this should fail or throw an error. Here, though, the Apple driver lets it happen—writing over adjacent memory, which could contain anything from browser internals to sensitive user data.
Here’s a conceptual JavaScript snippet showing the kind of logic an attacker would use:

```javascript
// Set up a WebGL context
const canvas = document.createElement('canvas');
const gl = canvas.getContext('webgl2');
// Intentionally create a small vertex buffer: 16 floats (64 bytes)
const buffer = gl.createBuffer();
gl.bindBuffer(gl.ARRAY_BUFFER, buffer);
gl.bufferData(gl.ARRAY_BUFFER, 16 * Float32Array.BYTES_PER_ELEMENT, gl.DYNAMIC_DRAW);
// Try to write 20 floats (80 bytes) starting at offset 0, i.e. past the end of the buffer
const arr = new Float32Array([1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20]);
gl.bufferSubData(gl.ARRAY_BUFFER, 0, arr); // Out-of-bounds write
// Trigger rendering, starting at vertex 0
gl.drawArrays(gl.POINTS, 0, 1);
```
In a vulnerable browser on a vulnerable Mac, this could force the driver to write the 17th, 18th, 19th, and 20th floats outside the memory reserved for the buffer, corrupting adjacent memory.
Real-World Threat
With careful manipulation, this kind of memory corruption can be upgraded from simple crashing to code-execution: the attacker could run arbitrary code on your device.
Mozilla describes the impact as:
*"Certain WebGL operations on Apple silicon M series devices could have led to an out-of-bounds write and memory corruption due to a flaw in Apple's GPU driver..."*
(see: MFSA 2024-23)
Why Only Apple Silicon?
The bug exists in Apple's GPU driver—not in WebGL, nor in Firefox code itself! That’s why it only affects Apple M-series hardware. Other GPUs (Intel, AMD, etc.) on Mac, Windows, or Linux are immune, even if running old browser versions.
Apple Silicon uses a completely new, in-house GPU architecture. That’s why new bugs like this can sometimes pop up.
Proof of Concept & Detection
There is not yet a public, ready-to-use exploit, but security researchers have been able to craft proof-of-concept code. If you're curious, the general approach is to:
- Use a large data input for buffer operations,
- Watch for memory corruption (usually manifesting as a browser crash, rendering glitches, or, if you're a very advanced attacker, a new shell).
How to Stay Safe
Simple: UPDATE YOUR BROWSER.
All patched versions listed above (Firefox 133+, ESR 128.5+, Thunderbird 133+) are safe.
In Thunderbird: Help → About Thunderbird.
If you are on a Mac with Apple Silicon, update as soon as possible.
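A quick way to check an Apple Silicon Mac against the fixed versions named above, added here as an example (not the post's or Mozilla's own code). It assumes the default /Applications install paths, that Apple Silicon reports as arm64, and only the version thresholds this post quotes; Thunderbird branches the post does not list are reported as "check-advisory".

```shell
#!/bin/sh
# Added example, not code from the post or from Mozilla: classify a Firefox or
# Thunderbird version against the fix thresholds this post quotes
# (Firefox 133+, Firefox ESR 128.5+, Thunderbird 133+, Thunderbird 115.18+).

# classify PRODUCT VERSION  ->  prints patched | vulnerable | check-advisory
classify() {
    product=$1; version=$2
    major=${version%%.*}
    rest=${version#*.}
    # a bare "133" has no minor component
    if [ "$rest" = "$version" ]; then minor=0; else minor=${rest%%.*}; fi
    major=${major%%[!0-9]*}; minor=${minor%%[!0-9]*}   # drop suffixes such as "esr"
    case "$product" in
        Firefox)
            if   [ "$major" -ge 133 ]; then echo patched
            elif [ "$major" -eq 128 ] && [ "$minor" -ge 5 ]; then echo patched  # ESR 128.5+
            else echo vulnerable
            fi ;;
        Thunderbird)
            if   [ "$major" -ge 133 ]; then echo patched
            elif [ "$major" -eq 115 ] && [ "$minor" -ge 18 ]; then echo patched
            elif [ "$major" -le 115 ]; then echo vulnerable
            else echo check-advisory   # 116-132: branches the post does not cover
            fi ;;
        *) echo check-advisory ;;
    esac
}

# On macOS, read the version of an installed app bundle (default install path
# assumed) with PlistBuddy; returns 1 when the app is not installed.
bundle_version() {
    plist="/Applications/$1.app/Contents/Info.plist"
    [ -f "$plist" ] || return 1
    /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$plist"
}

# Only an Apple Silicon Mac (arm64) is in scope; report each installed product.
if [ "$(uname -s)" = Darwin ] && [ "$(uname -m)" = arm64 ]; then
    for app in Firefox Thunderbird; do
        if v=$(bundle_version "$app"); then
            echo "$app $v: $(classify "$app" "$v")"
        else
            echo "$app: not installed"
        fi
    done
fi
```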
Further References
- CVE Record for CVE-2024-11691 on NIST NVD
- Mozilla Foundation Security Advisory 2024-23
- Mozilla Bugzilla Entry for CVE-2024-11691
Summary
CVE-2024-11691 is a good example of why even modern hardware needs constant, rapid security testing. If you use Firefox or Thunderbird on an Apple M1, M2, or M3 machine, update now. Attacks using this bug could be silent, need no user interaction, and cause real damage.
Timeline
Published on: 11/26/2024 14:15:18 UTC
Last modified on: 12/13/2024 17:15:05 UTC